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Abstract 

As a powerful cryptanalysis tool, the method of return-map attacks can be used to extract secret 
messages masked by chaos in secure communication schemes. Recently, a simple defensive mechanism was 
presented to enhance the security of chaotic parameter modulation schemes against return-map attacks. 
Two techniques are combined in the proposed defensive mechanism: multistep parameter modulation and 
alternative driving of two different transmitter variables. This paper re-studies the security of this proposed 
defensive mechanism against return-map attacks, and points out that the security was much over-estimated 
in the original publication for both ciphertext-only attack and known/chosen-plaintext attacks. It is found 
that a deterministic relationship exists between the shape of the return map and the modulated parameter, 
and that such a relationship can be used to dramatically enhance return-map attacks thereby making them 
quite easy to break the defensive mechanism. 
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1 Introduction 

In the past two decades, chaotic s ystems have b een ex tensively used to construct cryptosystems in either analog 
[Alvarez et al or digital forms. Most analog implementations are secure commu- 

nicat ion systems based on synchronization of the sender and the receiver chaotic systems Pecora fc Carroll 
where the signal is transmitted over a public channel from the sender to drive the receiver for achiev- 
ing synchronizati on and message dec r yption. Some differen t encryption structures have been proposed: 
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and the inverse system approach 



to break the proposed chaos-based secure communicat i on syst ems: return-map attacks [Perez fc Cerdeiral 
| 1995| IZhou fc ChenL Il997t [ Yang et alV Il998cl: iLi et oil l2005bl. nonhnear prediction based att acks [Shoril 
ll994ill997HZhou fc LaiLll999l |, spec tol analysis attacks [Yang et adll998aHAlvarez fc Lil2004aj . generalized 
synchro nization (GS ) based attacks lYang eit oil Il998bl: lAlvarez et adl2005ail2004bj short-time period based - 
attacks lYangl lipgst [Alvarez fc Lil . l2004bll parameter identifi cation based attacks Stoianovski et al\ . Il996l: 
iTao et aZ.U2003HVaidya fc Angadl 120031: [Alvarez et aZ.U2004at . and so on. 

Given the existence of so many different attacks, it has become a real challenge to design highly secure chaos- 
based communication systems against all known attacks. Three general countermeasures have been proposed 
in the literature: 1) using more complex dynamical systems, such as hig:h-dimensional hyperchaotic systems o r 
multiple cascaded (heterogeneous) chaotic systems Grassi fc Mascolol[l999aHMurall [2000HYao et ad[2003ll: 
2) introducing tr aditional ciphers into the chaotic cryptosystems [Yang et adll997H G rassi fc Mascoldll999bt 
[Lian et oil . [2003| : 3) introducin g an impulsive (also named sporadic) driving signal inste ad of a continuous 
signal to reahze synchronization Yang fc Chual Il99^ lHgj^j_g|Jj2QQ gt iKhadr;^ ^^ The first counter- 

measure has been foun d insecure against some attacks [Short fc Parkeil[l998l[Ztiou fc Lail Il999t [Huang et al 



[2001; "Tao et all '200^, and some security defects of the second countcrmcasure have also been reported 
[Parkcr fc ShorL.2GGlj . but the last one has not yet been cryptanalyzcd to date. 
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Besides the above three general countermeasures, there also exist some specially-designed countermeasures 
th at can be used to resist certain att acks. This paper studies two such countermeasures, recently proposed 
by IPalanivandi fc LakshmananI 200 ij . against return- map attacks. These two proposed countermeasures are 
multistep parameter modulation and alternative driving of transmitter variables, which have been combined 
to construct a new secure communication scheme for binary signal transmissions. After refining return-map 
attacks via a deterministic relationship between the return m ap and a parameter b^, we found that the 
security of the first countermeasure was much over-estimated in [Palanivandi fc LakshmananI l200lj , and that 
the combination of the two countermeasures can be easily separated in some way so as to disable the second 
countermeasure. The aforementioned deterministic relationship between the return map and the parameter 
bs is reported in this paper, for the first time in the literature, which is useful not only for engineering studies 
on chaos-based secure communications but also for theoretical studies on the dynamics of chaotic systems. 

The rest of this paper is organized as follows. In the next section, a brief introduction to return-map attacks 
and related countermeasures is given. Section|21re-evaluates the security of the multistep parameter modulation 
scheme, by exploiting a deterministic relationship betwee n the shape of the return map and the modulated 
parameter b^. The original return-map attack proposed bv lPerez fc Cerdeiral |l995j will be enhanced. In Sec. 
0] cryptanalysis of the scheme of alternative driving of transmitter variables is studied in detail. The last 
section concludes the paper. 



2 Return-Map Attacks and Related Countermeasures 

The return-map attack method was first proposed by rez fc Cerdeiral Il99,^ to break chaotic switching 
(binary pa rameter modulatio n) and chaotic masking schemes based on the Lorenz system, which was then 
studied bv lYang et al\ jl998cl |_to break chao tic ma sking, switching and non-autonomous modulation schemes 
based on Chua's circuit. In |Zhou fc Ch eni Il997f . t he return-map attack metho d was also used to break a 
DCSK scheme based on a discrete-time chaot ic map IPar li^z E rgezingeilll994j . Without loss of generality, 
this paper will focus on the attack scheme of IPerezfcCerdeiral on the Lorenz system thereby demonstrating 
how the ret urn map is constructed and how the attack works to break a typical chaotic switching scheme 
proposed in [Cuomo fc OpenheimL[l99^ . 

Consider the following Lorenz system used as the sender: 



(1) 



where (7,bs,r are system parameters, and the value of bg is modulated by m{t), the digital plain-signal for 
secure transmission, as follows: 
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To transmit m(t) to the receiver end, a variable of the sender system, such as Xg, is sent out, which will be 
used to induce synchronization of the receiver system, resulting in: 



(2) 



where b^ = b^. When m{t) = 0, the intended synchronization can be reached, while when m{t) = 1, the 
synchronization error always remains at a certain finite order. Then, it is easy to decode the secret s ignal 
m{t) by checking the power energy {xr — XsY with a digital filter. Following ICuomo fc Qpenheiml |l993j . the 
parameters are set as cr = 16, r = 45.6, 6o = 4.0 and bi = 4.4. 

However, the abo ve chaotic switching sche me can be easily broken with the return map constructed from 
Xs as pointed out in |Perez fc Cerdeiral 1 1995j . Assuming that Xm and are the m-th maxima and jTi-th 
minima of Xs, respectively, define the following four variables: Am ~ ^™.+Y,n _ _ Xm — Y„i, Cm = — ^^^-^^ — —, 



Dm = Ym — Xm+1, and then construct two return maps, {Am vs Bm) and {—Cm vs —Dm), as shown in Fig. 
n The two maps are actually equivalent to each other, so we only consider the map {Am. vs Bm) in this 
paper. Note that there are three segments in the return map, and each segment is further split into two 
strips. It is obvious that the split of the map is caused by the switching of the value of bs between bo and 
bi. Thus, by checking which strip the point {Am, Bm) falls on, one can easily unmask the current value of the 
digital signal m{t). Since one has to assign either 0-bit or 1-bit to a strip in each segment, it was claimed in 
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Figure 1: The return maps constructed for a typical chaotic switching scheme. 

|Perez fc Cerdeiral 1 1 9951 that there are only seven chances to make wrong assignments, which can be easily 
detected by observing the waveform of the reconstructed digital signal m{t). 

In recent years, so me different countcrmeasures have been proposed to resist the above return-map attack. 
In |Bu & Wand.l2004l . a periodic signal goit) = Acos{ujt + (j)o) is combined with Zs to modulate the transmitted 



signal Xs so as to blur the reconstruct e d return map in order to frustrate the atta cker. However, soon it 
was broken as reported in |Chee et "di \2004. IWn et all 120041 lAlvarez et oA l2005bl | via distin guishing the 
param eters uj, 4>q and re moving the modul ating signal. A modified scheme of the original method o f iBu & WangI 
|2004j was proposed in \SSf\i et all . l2004j to further im prove its securit y. Our recent work shows that this 
modified modulating scheme is still not secure enough |Li et ~ai\. l2005al and that the modulating signal can 
still b e effectively removed via parameter s estimation. 

In [Palanivandi fc Lakshmananl l200lj , two new countcrmeasures were proposed and combined to enhance 
the security of chaotic switching schemes against return-map attacks. The first countermeasure is to increase 
the number of strips by modulating bs between 2n different values: foo,ir'' i ^o.n and where 
&o,i,''' 7^o,n correspond to m{t) = and - correspond to m{t) = 1. This coimtermeasure is 

called multistep parameter modulation, and accordingly the original two-valued chaotic switching scheme is 
called single-step parameter modulation. It was claimed that the chances to make wrong assignments become 
(2^" — 2)'^ — 1 « 2^" and that the security against return-map attacks is dramatically enhanced even when n is 
not too large. Figure El shows the return map constructed from Xg when the multistep parameter modulation 
is used, where n = 5 and foo.; G {3.2,3.4,3.6,3.8,4.0}, bi^i G {3.1,3.3,3.5,3.7,3.9}. It can be seen that 
each segment is split into 2?! = 10 strips. The second countermeasure is to alternatively use Xs and ys 
as the driving signal to force the receiver system to synchronize with the sender, which will further split 
the constructed return map into two parts: one corresponds to the map from Xs and another to the map 
from Us, as shown in Fig. It can be seen that two segments of the Xg-map and the ?/s-map largely 

overlap each other. In a multistep parameter modulation system, the receiver contains 2n different driven 
sub-systems, which are used to realize synchronization for the 2n different values of bg, respectively. When 
alternative driving is also applied, the number of sub-systems is doubled to be 4n, among which 2?? correspond 
to Xg-driving synchro nization and another 2n to jy , c-driv ing synchronization. For more details about the two 
countermeasures, see [Palanivandi fc LakshmaniinL l2r 



3 Re- Evaluating the Security of Multistep Parameter Modulation 

The security of multistep parameter modulation relics on the fact that the attacker has to assign 0-bits or 
1-bits for all strips in the return map. Since there are 6n stripes in total, the success probability to make a 
right assignment is i.e., the attack complexity is 2^". Note that the a bove analysis on the security i s mor e 
rigorous, from the cryptographical point of view, than the one given in Palanivandi fc Lakshmana 



where the latter enumerated the number of making wrong assignments under the assumption that the first 
assignment is correct. Of course, the order of the estimated attack complexity is the same. 

^Different from Xs, there exist some small fluctuations in ys- The faked maxima and minima induced by the small fluctuations 
should be removed from the return map; otherwise, the map will become completely meaningless. For the return map plotted in 
Fig. |3] therefore, if the difference between two consecutive maxima and minima is less than 1, they will be omitted. 
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a) a full view of the return map b) a local view of Segment 1 

Figure 2: The return map constructed from Xg in multistep parameter modulation. 
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Figure 3: The return map constructed in multistep parameter modulation with alternative Xs/Vs driving. 



The above security estimation is based on the assumption that all 6n strips are independent of each other. 
However, we found that this assumption is not true and that there exists a deterministic relationship between 
the positions of the strips and the 2?! different values of the modulated parameter 6s, and this relationship 
will dramatically reduce the attack complexity in all attacking scenarios. In Fig. the two return maps 
corresponding to &s = 3 and 6s = 4 respectively are plotted to show such a deterministic relationship. One 
can see that the three segments corresponding to 6^ = 3 are closer to the origin, while the three segments 
corresponding to 6^ = 4 are farther. This means that there exist only two possibilities to assign the 0/1-bits 
to all strips in the chaotic switching scheme (see Fig. for all three segments, assign 0-bit (or 1-bit) to the 
strip closer to the origin and 1-bit (or 0-bit) to the other one. If the relationship between 6o and 6i is also 
known to the attacker, he can uniquely determine the right assignment to completely break the plain-signal. 
Apparently, the above analysis can be easily generalized to multistep p arameter modulation. Figure shows 



: iP^ 

Palanivandi fc LakshmananL l2001j . It 



the return maps corresponding to the 10 different values of hg used in 
can be seen that Fig. is almost identical with the return map shown in Fig. Et- Thus, it is easy to mark 
each strip of the return map shown in Fig. with one of the 2n ~ 10 possible values of 6^. For example, 
for Segment 1 shown in Fig. \Bp, the i-th strip corresponds to 6s ~ 3.0 + O.li. This means that the task 
of assigning 0/1-bits to 6n strips is changed to another equivalent task of assigning 0/1-bits to 2n different 
values of 6s. Considering that there are n values corresponding to 0-bits and other n values to 1-bits, one can 
easily deduce that the number of all possible bit assignments is 2 • (^^) = 2 • -[It^, which is O (^7^) when 
n S> 1 following Stirling's approximation Weissteinl . l2004b| . As a conclusion, the attack complexity is always 
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much smaller than O (2^"), the original complexity estimated in [Palanivandi fc LakshmananL l20oH . Table 
n shows a comparison of the two complexities. From the cryptographical point of view, based o n today's 
comp uter technology, a practically secure cryptosystem should have a complexity of order O (2^"°) [SchneieJ . 
Il99fil |. which requires n > 50 following the data shown in Tabled However, in this case, 4n > 200 sub- 
systems have to be constructed to realize the decryption of the transmitted digital signal m(t), which makes 
the implementation too costly for most practical applications. If the security can be relaxed to order of 2^", 
4n > 32 sub-systems are enough to be practical in some applications (though still much more costly than 
other chaos-based secure communication systems). Note that the implementation cost will be acceptable in 
practice, if all the sub-systems can be realized with the same chaotic circuit. 




a) the return maps corresponding to 6s = 3 and b) the return maps corresponding to 

6s =4 6s = 3.1,3.2,--- ,3.9,4.0 

Figure 4: A deterministic relationship between the return map and the modulated parameter 6s. 



Table 1: A comparison of the real complexity 2 • (^^) and the over-estimated complexity 2^". 
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Note that one can extra ct som e right bits even with a wrong bit assignment. For instance, for the example 
given in [Palanivandi fc La kshma nanl l200lj . 1-bits are assigned to 6s G {3.1,3.3,3.5,3.7,3.9} and 0-bits to 
6s € {3.2,3.4,3.6,3.8,4.0}, so one can get about 80% of right bits with the following bit assignment: 1-bits 
are assigned to 6s G {3.1,3.3,3.5,3.7,4.0}, and 0-bits to 6s G {3.2,3.4,3.6,3.8,3.9}, where the bold values 
correspond to wrong bits. Generally speaking, if there are 2i values corresponding to wrong bits, the bit error 
ratio (BER) at the attacker end will be i/n, i.e., the probability to get right bits is 1 — {i/n)- Note that when 

1 < n/2, the attacker can simply flip all assigned bits to get a lower BER {n ~ i)/n = 1 — {i/n). From such a 
point of view, the worst bit assignment occurs when i = ln/2\ or [ri/2]. Considering that the bit assignment 
can be regarded as an equivalent of the secret key, the above fact means that the decryption of multistep 
parameter modulation is insensitive to the mismatch of the secret key. However, such an insensitivity does not 
reduce the attack complexity by too much, since the number of wrong assignments corresponding to z = ['T-/2J 

or [n/2] is in the same order as the complexity O (^^y^^ when n ^ 1: the number is 2 • (|^„/2j) ' (ri-[n/2j) ~ 

2 • ([„/2j) • ([«/2l) ~0(^^y which is not much smaller than O (^). 

In cryptography, there are many different attacking scenarios |Schneieil Il996l | . A cryptographically secure 
cryptosystem should be immune to all kinds of attacks. The above attack complexity of multistep parameter 
modulation is for the simplest attack - the ciphertext-only attack, where the attacker can only observe some 
ciphertexts. When some other attacking scenarios are available, the security of multistep parameter modulation 
will be dramatically downgraded. 

Now, let us consider the security against known-plaintext and chosen-plaintext attacks, where the attacker 
can get or choose some plaintexts to carry out the attacks. Such attacks are feasible in some real applications 
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and become more and more common in the digital networked world today. In known/chosen-plaintext attacks, 
it is obvious that the knowledge about some plaintexts means the knowledge about the bit assignment of 
the 6n strips: when m(t) = (or 1), one immediately knows that the strip on which a point (A,„,i?,„) lies 
corresponds to a 0-bit (or 1-bit), and then knows that other two strips marked with the same value of bg also 
correspond to 0-bits (or 1-bits). That is, he can assign a 0-bit (or 1-bit) to the value of bg corresponding to 
the distinguished strip. Once n 0-bits (or 1-bits) have been assigned to n different values of bg, the attacker 
can directly assign 1-bits (or 0-bits) to all other undetermined values so as to complete the attack. For the 
number of required known/chosen plain-bits in the above attack, we have the following theoretical result. 

Theorem 1 Assume that bg distributes uniformly over the set of 2n values and that any two values of bg 
are independent of each other. Then, the average number of required known/chosen plain-bits in the above 
known/chosen-plaintext attack is 3n. 

Proof: Denote the k{> 1) known/chosen plain-bits by ■ ■ ■ , Bk G {0, 1}, and the corresponding values of 
bg by bi^\ • • • , bi''\ The condition that the attack is completed for the k known/chosen plain-bits equals to 
the following term: n — 1 values corresponding to 0-bits (or 1-bits) have occurred in bi^\ ■ • • , bi''^^\ and 
is the first occurrence of the last value. Considering that each value occurs with a uniform probability p ~ 
and any two values are independent of each other, it is easy to get the probability that the attack stops with 
k known/chosen plain-bits, P{k), as follows: 



P{k) = {^' , (3) 



Substituting k' — k ~ n into the above equation, one can get P{k') = p(l — p)^ ,yk' > 0. It is o bvious that 
P(k') obeys a geometric distribution, and one can immediately deduce that E{k') = p^^ = 2n WeissteinL 
l2004aj . That is, E{k) = E{k' + n) = E{k') +n = ?,n. The proof is thus completed. ■ 

Since n cannot be too large to make the cryptosystem practical in real applications, the above theorem 
shows that multistep parameter modulation is not sufhciently secure against known/chosen-plaintext attacks. 
In Fig. [SJ we give an example of known/chosen-plaintext attacks. It can be seen that three different values of 
bg, i.e., nine strips in the return map, are successfully distinguished with only three known/chosen plain-bits. 



4 Breaking Alternative Driving of Transmitter Variables 

In this section, we consider how to break another countermeasure - alternative driving of transmitter variables. 
Following the example given in |Palanivandi fc Lakshmanani 12001 , we focus on the x/y-driving of the Lorenz 



system. Although the alternative driving can make the return map less clearer by introducing overlaps of 
the Xs-map and the y^-map, it is found that the two overlapped sub-maps can be easily separated so that an 
attack can be carried out on the two sub-maps separately. 

Since there are only two possible driving signals, the separation of the two driving signals can be simplified 
to the problem of detecting the times at which the driving signal, denoted by dg here, changes from Xg to yg or 
from yg to Xg . This can be easily done by observing the differentiations of dg , since the alternative driving will 
introduce breaking points at each switching time (i.e., discontinuities in dg). Considering that chaotic signals 
Xg{t) and yg{t) are both continuous, the switching times can be easily distinguished from sudden and large 
differentiations of dg , where the word "sudden" means that the differentiation at a time t is much larger than the 
others around it. In Fig. El the first-order, second-order, 4th-order and 8th-order discrete-time differentiations 
of dg are shown for demonstration, where the display range on the y-axis is always limited within [—20, 20] to 
emphasize some sudden and large changes of differentiations with relatively small amplitudes. It can be seen 
that all switching times are sufficiently prominent in the 8th-order differentiations. Once the switching times 
are detected, one can easily separate the Xg-map and the y^-map to break the multistep parameter modulation 
as discussed in the last section. 

In fact, it is even possible to directly separate the two sub-maps without calculating differentiations of dg. 
Observing Fig. |31 one can find that the overlaps of the two sub-maps are not very significant, which makes it 
possible to separate the two sub-maps directly from the alignment directions of consecutive points {Am, B,n)- 
When Xs-driving is used for odd bits and yg for even bits. Fig. [7| shows the positions of the points {Am, Bm) 
in the return map for < t < 30. In spite of the existence of a few error points and ambiguous points, 
which are mainly introduced by the faked maxima and minima near the switching times, it is still very easy to 
distinguish which driving signal was used from the alignment direction of the points {Am, Bm) corresponding 
to the current bit (i.e., to the current value of bg). The accidental errors and ambiguous points can be easily 
removed by filtering techniques. 
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Figure 5: The known/chosen-plaintext attack to multistep parameter modulation, when 10 < i < 30. Legend: 
O - < t < 10, m{t) = 1, b, = 3.5; O - 10 < t < 20, m{t) = 1, &^ = 3.3; □ - 20 < t < 30, m{t) 0, = 3.4. 



Finally, we examine the attack complexity when both countermeasures are used in a secure communication 
system. Since there exist 12n strips, the average number of plain-bits in known/chosen-plaintexts attacks will 
be 2 • 3n = 6n, which means that the security against known/chosen-plaintext attacks is still rather weak. The 
security against ciphertext-only attacks is relatively higher: (2 • {^^^)) ■ However, note that an attacker can 
extract 50% of all plain-bits, even when he only exhaustively guesses the right bit assignment corresponding to 
the Xs-map or the y^-map. Thus, strictly speaking, the security against ciphertext-only attacks is still in the 
order of 2 • {^^), i.e., the same as the one under the condition that only the first countermeasure is used. As 
mentioned above, to make the designed secure communication system sufficiently secure, n > 50 is required. 



5 Conclusion 



To resist the return-map attack presented in Perez fc Cerdeiral Il995l | , IPalanivandi fc LakshmanarJ 200lj pro 



posed two countermeasures to enhance the security of the chaotic switching (i.e., binary parameter modulation) 
scheme. After refining the return-map attack by exploiting a deterministic relationship between the return map 
and the modulated parameter, this paper points out that these two countermeasures are not secure enough 
against known/chosen-plaintext attacks. Also, it is found that the security against ciphertext-only attacks 
cannot be ensured if the proposed secure communication system contains less than 200 sub-systems. 

The cryptanalysis results given in this paper show that one has to use mor e powerful techniqu es to effectively 
resist return-map attacks. Recently, a new CSK scheme was proposed in |Xu fc Cheel l2004l | by introducing 
many false switching events. It is under study whether or not this new CSK scheme is secure against the 
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Figure 6: The first-order, second-order, 4th-ordcr and 8-th order (from top to bottom) discrete-time differen- 
tiations of the transmitted signal dg, where At = 0.01. 



return-map attack described in this paper. At present, it is still an open problem to design a chaos-based 
secure communication system that is strong enough against all known attacks, and to find more powerful 
cryptanalysis tools to evaluate the security of various chaos-based cryptosystems. 
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